Breaking Changes

Our general philosophy for the Chrome extensions system is to try hard to avoid breaking (ie backwards-incompatible) changes. Over time we've discussed a number of ideas for improvements based on actual experience with the extensions system that would require breaking backwards compatibility. Ideally we'd do them all together in one big batch to minimize developer pain.

In no particular order, here's a list of these ideas. Some require changes to the manifest format, and some change the behavior of existing APIs.

We want to reduce the need for background pages to help save memory, and some ideas for how to do this require breaking changes. See a list of related bugs.

We might want to design for extensibility in these fields, for example to allow things like adding an optional "why"/"justification" field for each permission.

Also, for some API's such as spell checking, you want to grant permissions at the host level to get events on input into text boxes but don't necessarily want the ability to do cross-origin XHR or chrome.tabs.executeScript.

(aa says:) In that case, the permission should be different. A host permission means authenticated access to the host. We shouldn't twist the meaning per-API.

Improve security in content scripts by either forcing the following behaviors, or making them the default with explicit developer opt-out:

If a content script injects a <script> tag into the DOM, only allow it if the src is an https url

Split permissions into read and write (Context: captureVisibleTab really requires <all_urls> because iframes can have content from any site, but we don't want to require screenshot extensions to get write-all permissions when they don't need/want it. There may be other cases like this.)

Move tabs.captureVisibleTab into its own top-level permission to simplify concerns with iframe permissions

Unify our handling for abbreviations like URL - we have functions named getURL, setUpdateUrlData, addUrl, etc. We should standardize on URL or Url.

Have a "tabs_simple" or "tabs_light" permission for things like chrome.tabs.{create,update,remove,onRemoved}

Allow extensions to have opt-in "public" pages that can be loaded in iframes, window.open, etc. from within other origins, and make pages private by default.

Fix the port madness in URLPattern. Can we make all URLPatterns support ports? I believe right now, most cases of URLPatterns make ports an error, which means we can make it work without a breaking change. But in a few cases, ports are silently allowed for backward compatibility. Fixing this would be the breaking change.

Change chrome://favicon/ to a new scheme chrome-favicon:// (this was the root of a security bug, http://crbug.com/83010)

We should just make this a separate top-level API permission. We don't need or want authenticated access to these origins - we just want the icons.